I want to review some notes from another previous Digital Forensics challenge. I won't present anything here that hasn't been seen somewhere else, and this is NOT A REAL FORENSICS investigation, nor am I a real forensics expert or professional. I'm a student who is still learning, sharing the very little I know.

I am only putting up notes; if you actually want the reports and evidence files I used, please just ask and I would be glad to put them up. Honestly, I had never done anything with Volatility up until this point, and this was the first rabbit hole I really went down in the field of forensics. I have played with a lot of forensics tools, but I am by no means an expert. This is also stuff from last November.

These commands are for anyone who wants to get started with some really awesome memory forensics.

Using Volatility 2.0 inside a BackTrack 5 virtual machine running on VMware Workstation 8, I ran the following commands to obtain information about the software on the system (running processes, loaded DLLs, network connections, and SIDs) and exported the output to report text files.

– The hivelist command lists the offsets at which the registry hive files reside in memory, so each hive can be dumped and run through RegRipper.

The following commands were used to export reports for the system hive files by running RegRipper against the provided hive files; RegRipper can examine registry hive files and export evidence reports as easy-to-read text documents.
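The two steps above, running the Volatility triage plugins and then feeding each hive that hivelist finds into RegRipper, chain together naturally. The script below is an added example written for this post, not the author's own commands: it parses the hivelist table (the sample output is constructed, with made-up offsets, in the Volatility 2.x column layout), picks the matching RegRipper profile from each hive's file name, and emits the vol.py and rip.pl command lines for the whole workflow. It assumes vol.py and rip.pl are on the PATH, that the image is Windows XP (the `connections` plugin is XP/2003 only; later Windows needs `netscan`), and that the `dumpregistry` plugin is available, which is true of later 2.x releases but is an assumption relative to the 2.0 build used in the post.

```python
"""Chain Volatility 2.x hivelist output into RegRipper runs.

Added example for this post, not the author's scripts. Assumes vol.py and
rip.pl (RegRipper) are installed; the hivelist text is a constructed sample.
"""
import re
import shlex
from pathlib import PureWindowsPath

# Constructed sample of `vol.py hivelist` output (offsets and paths are made up).
SAMPLE_HIVELIST = """\
Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0xe1035b60 0x02ab3b60 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\system
0xe102e008 0x02aac008 [no name]
0xe13ae9e8 0x04c329e8 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\software
0xe15b0b60 0x063e8b60 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\SAM
0xe1a3a7c0 0x0a9d67c0 \\Device\\HarddiskVolume1\\Documents and Settings\\jdoe\\NTUSER.DAT
"""

# One data row: virtual offset, physical offset, hive path (banner/header rows won't match).
HIVE_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s*$")

# Hive file name -> RegRipper "-f" profile name.
REGRIPPER_PROFILES = {
    "system": "system",
    "software": "software",
    "sam": "sam",
    "security": "security",
    "ntuser.dat": "ntuser",
    "usrclass.dat": "usrclass",
}

# Triage plugins whose output the post exports to text reports.
TRIAGE_PLUGINS = ("pslist", "dlllist", "connections", "getsids", "hivelist")


def parse_hivelist(text):
    """Return [(virtual_offset, physical_offset, path)] for each named hive."""
    hives = []
    for line in text.splitlines():
        m = HIVE_LINE.match(line.strip())
        if not m:
            continue  # banner, column header or separator line
        virt, phys, name = m.groups()
        if name == "[no name]":
            continue  # unbacked hive with no file behind it; nothing for RegRipper
        hives.append((int(virt, 16), int(phys, 16), name))
    return hives


def regripper_profile(hive_path):
    """Pick the RegRipper -f profile from the hive's file name (None if unknown)."""
    base = PureWindowsPath(hive_path).name.lower()
    return REGRIPPER_PROFILES.get(base)


def build_commands(image, profile, hivelist_text, outdir="reports"):
    """Shell commands: export the triage reports, dump each hive, run RegRipper on it."""
    vol = f"vol.py -f {shlex.quote(image)} --profile={profile}"
    cmds = [f"{vol} {plugin} > {outdir}/{plugin}.txt" for plugin in TRIAGE_PLUGINS]
    for virt, _phys, path in parse_hivelist(hivelist_text):
        rr = regripper_profile(path)
        if rr is None:
            continue  # hive type RegRipper has no profile for (e.g. BCD, COMPONENTS)
        # Assumed dumpregistry naming: registry.<virt offset>.<hive file name>.reg in the -D dir.
        dumped = f"{outdir}/hives/registry.0x{virt:x}.{PureWindowsPath(path).name}.reg"
        cmds.append(f"{vol} dumpregistry -o 0x{virt:x} -D {outdir}/hives")
        cmds.append(f"rip.pl -r {shlex.quote(dumped)} -f {rr} > {outdir}/regripper_{rr}.txt")
    return cmds


if __name__ == "__main__":
    # Print the command list for a hypothetical XP image; review before running.
    for cmd in build_commands("memory.img", "WinXPSP2x86", SAMPLE_HIVELIST):
        print(cmd)
```

Unnamed hives are skipped deliberately: they are not backed by a file on disk, so there is nothing for RegRipper to parse. Hives RegRipper has no profile for are skipped as well rather than guessed at, which keeps a mis-matched profile from producing a misleading report.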


DISCLAIMER - The contents of this blog, website, comments, and other resources do not represent any viewpoints or opinions of employers, associated organizations, or anyone else related to me in any way. This is my blog and I reserve the right to the content on it and the opinion it represents.